Revert "subtree updates"

Needs to go through CI This reverts commit fc7e7973f3119e2bad511209aa336537dc5ffbed.
author: Andrew Geissler <geissonator@yahoo.com> 2023-09-11 15:36:15 +0300
committer: Andrew Geissler <geissonator@yahoo.com> 2023-09-11 15:36:15 +0300
commit: 80d41842d41c701edac5b2c768da574f260fa6a3 (patch)
tree: 7d58015c844bd241f3c1737b1af0d4b53dfe8c67 /meta-security
parent: fc7e7973f3119e2bad511209aa336537dc5ffbed (diff)
download: openbmc-80d41842d41c701edac5b2c768da574f260fa6a3.tar.xz
10 files changed, 398 insertions, 42 deletions
diff --git a/meta-security/conf/layer.conf b/meta-security/conf/layer.conf
index 3e8db1f17c..a436f97e87 100644
--- a/meta-security/conf/layer.conf
+++ b/meta-security/conf/layer.conf
@@ -9,7 +9,7 @@ BBFILE_COLLECTIONS += "security"
 BBFILE_PATTERN_security = "^${LAYERDIR}/"
 BBFILE_PRIORITY_security = "8"
 
-LAYERSERIES_COMPAT_security = "nanbield"
+LAYERSERIES_COMPAT_security = "mickledore"
 
 LAYERDEPENDS_security = "core openembedded-layer"
 
diff --git a/meta-security/meta-hardening/conf/layer.conf b/meta-security/meta-hardening/conf/layer.conf
index c499e60a2b..4bc1cac2f0 100644
--- a/meta-security/meta-hardening/conf/layer.conf
+++ b/meta-security/meta-hardening/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "harden-layer"
 BBFILE_PATTERN_harden-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_harden-layer = "6"
 
-LAYERSERIES_COMPAT_harden-layer = "nanbield"
+LAYERSERIES_COMPAT_harden-layer = "mickledore"
 
 LAYERDEPENDS_harden-layer = "core openembedded-layer"
 
diff --git a/meta-security/meta-integrity/conf/layer.conf b/meta-security/meta-integrity/conf/layer.conf
index d00298ac8b..7a9c1d188c 100644
--- a/meta-security/meta-integrity/conf/layer.conf
+++ b/meta-security/meta-integrity/conf/layer.conf
@@ -20,7 +20,7 @@ INTEGRITY_BASE := '${LAYERDIR}'
 # interactive shell is enough.
 OE_TERMINAL_EXPORTS += "INTEGRITY_BASE"
 
-LAYERSERIES_COMPAT_integrity = "nanbield"
+LAYERSERIES_COMPAT_integrity = "mickledore"
 # ima-evm-utils depends on keyutils from meta-oe
 LAYERDEPENDS_integrity = "core openembedded-layer"
 
diff --git a/meta-security/meta-parsec/conf/layer.conf b/meta-security/meta-parsec/conf/layer.conf
index 503953a881..b162289748 100644
--- a/meta-security/meta-parsec/conf/layer.conf
+++ b/meta-security/meta-parsec/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "parsec-layer"
 BBFILE_PATTERN_parsec-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_parsec-layer = "5"
 
-LAYERSERIES_COMPAT_parsec-layer = "nanbield"
+LAYERSERIES_COMPAT_parsec-layer = "mickledore"
 
 LAYERDEPENDS_parsec-layer = "core clang-layer"
 BBLAYERS_LAYERINDEX_NAME_parsec-layer = "meta-parsec"
diff --git a/meta-security/meta-tpm/conf/layer.conf b/meta-security/meta-tpm/conf/layer.conf
index 8075706269..1f270317cc 100644
--- a/meta-security/meta-tpm/conf/layer.conf
+++ b/meta-security/meta-tpm/conf/layer.conf
@@ -8,7 +8,7 @@ BBFILE_COLLECTIONS += "tpm-layer"
 BBFILE_PATTERN_tpm-layer = "^${LAYERDIR}/"
 BBFILE_PRIORITY_tpm-layer = "6"
 
-LAYERSERIES_COMPAT_tpm-layer = "nanbield"
+LAYERSERIES_COMPAT_tpm-layer = "mickledore"
 
 LAYERDEPENDS_tpm-layer = " \
     core \
diff --git a/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch
new file mode 100644
index 0000000000..0db2b1203c
--- /dev/null
+++ b/meta-security/recipes-compliance/scap-security-guide/files/0001-scap-security-guide-add-openembedded-distro-support.patch
@@ -0,0 +1,388 @@
+From 826dd5b109f79270819703a23cc8066895d68042 Mon Sep 17 00:00:00 2001
+From: Armin Kuster <akuster808@gmail.com>
+Date: Wed, 14 Jun 2023 07:46:55 -0400
+Subject: [PATCH 1/2] scap-security-guide: add openembedded distro support
+
+includes a standard profile for out-of-the-box checks
+
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+Upstream-Status: Pending
+https://github.com/ComplianceAsCode/content/pull/10793
+Signed-off-by: Armin Kuster <akuster808@gmail.com>
+
+---
+ CMakeLists.txt                                |   5 +
+ build_product                                 |   1 +
+ products/openembedded/CMakeLists.txt          |   6 +
+ products/openembedded/product.yml             |  19 ++
+ .../openembedded/profiles/standard.profile    | 166 ++++++++++++++++++
+ .../openembedded/transforms/constants.xslt    |  10 ++
+ .../oval/installed_OS_is_openembedded.xml     |  33 ++++
+ .../oval/sysctl_kernel_ipv6_disable.xml       |   1 +
+ ssg/constants.py                              |   5 +-
+ 9 files changed, 245 insertions(+), 1 deletion(-)
+ create mode 100644 products/openembedded/CMakeLists.txt
+ create mode 100644 products/openembedded/product.yml
+ create mode 100644 products/openembedded/profiles/standard.profile
+ create mode 100644 products/openembedded/transforms/constants.xslt
+ create mode 100644 shared/checks/oval/installed_OS_is_openembedded.xml
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 6b1ac00ff9..e4191f2cef 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -97,6 +97,7 @@ option(SSG_PRODUCT_UBUNTU1804 "If enabled, the Ubuntu 18.04 SCAP content will be
+ option(SSG_PRODUCT_UBUNTU2004 "If enabled, the Ubuntu 20.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_UBUNTU2204 "If enabled, the Ubuntu 22.04 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ option(SSG_PRODUCT_UOS20 "If enabled, the Uos 20 SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
++option(SSG_PRODUCT_OE "If enabled, the OpenEmbedded SCAP content will be built" ${SSG_PRODUCT_DEFAULT})
+ 
+ 
+ option(SSG_CENTOS_DERIVATIVES_ENABLED "If enabled, CentOS derivative content will be built from the RHEL content" TRUE)
+@@ -291,6 +292,7 @@ message(STATUS "Ubuntu 18.04: ${SSG_PRODUCT_UBUNTU1804}")
+ message(STATUS "Ubuntu 20.04: ${SSG_PRODUCT_UBUNTU2004}")
+ message(STATUS "Ubuntu 22.04: ${SSG_PRODUCT_UBUNTU2204}")
+ message(STATUS "Uos 20: ${SSG_PRODUCT_UOS20}")
++message(STATUS "OpenEmbedded: ${SSG_PRODUCT_OE}")
+ 
+ 
+ message(STATUS " ")
+@@ -409,6 +411,9 @@ endif()
+ if(SSG_PRODUCT_UOS20)
+     add_subdirectory("products/uos20" "uos20")
+ endif()
++if (SSG_PRODUCT_OE)
++    add_subdirectory("products/openembedded" "openembedded")
++endif()
+ 
+ # ZIP only contains source datastreams and kickstarts, people who
+ # want sources to build from should get the tarball instead.
+diff --git a/build_product b/build_product
+index fc793cbe70..7bdc03edfe 100755
+--- a/build_product
++++ b/build_product
+@@ -333,6 +333,7 @@ all_cmake_products=(
+ 	UBUNTU2204
+ 	UOS20
+ 	MACOS1015
++	OPENEMBEDDED
+ )
+ 
+ DEFAULT_OVAL_MAJOR_VERSION=5
+diff --git a/products/openembedded/CMakeLists.txt b/products/openembedded/CMakeLists.txt
+new file mode 100644
+index 0000000000..1981adf53e
+--- /dev/null
++++ b/products/openembedded/CMakeLists.txt
+@@ -0,0 +1,6 @@
++# Sometimes our users will try to do: "cd openembedded; cmake ." That needs to error in a nice way.
++if ("${CMAKE_SOURCE_DIR}" STREQUAL "${CMAKE_CURRENT_SOURCE_DIR}")
++    message(FATAL_ERROR "cmake has to be used on the root CMakeLists.txt, see the Building ComplianceAsCode section in the Developer Guide!")
++endif()
++
++ssg_build_product("openembedded")
+diff --git a/products/openembedded/product.yml b/products/openembedded/product.yml
+new file mode 100644
+index 0000000000..debf6870ef
+--- /dev/null
++++ b/products/openembedded/product.yml
+@@ -0,0 +1,19 @@
++product: openembedded
++full_name: OpemEmbedded 
++type: platform
++
++benchmark_id: OPENEMBEDDED
++benchmark_root: "../../linux_os/guide"
++
++profiles_root: "./profiles"
++
++pkg_manager: "dnf"
++
++init_system: "systemd"
++
++cpes_root: "../../shared/applicability"
++cpes:
++  - openembedded:
++      name: "cpe:/o:openembedded:nodistro:"
++      title: "OpenEmbedded nodistro"
++      check_id: installed_OS_is_openembedded
+diff --git a/products/openembedded/profiles/standard.profile b/products/openembedded/profiles/standard.profile
+new file mode 100644
+index 0000000000..fcb9e0e5c2
+--- /dev/null
++++ b/products/openembedded/profiles/standard.profile
+@@ -0,0 +1,166 @@
++documentation_complete: true
++
++title: 'Sample Security Profile for OpenEmbedded Distros'
++
++description: |-
++    This profile is an sample for use in documentation and example content.
++    The selected rules are standard and should pass quickly on most systems.
++
++selections:
++    - file_owner_etc_passwd
++    - file_groupowner_etc_passwd
++    - service_crond_enabled
++    - file_groupowner_crontab
++    - file_owner_crontab
++    - file_permissions_crontab
++    - file_groupowner_cron_hourly
++    - file_owner_cron_hourly
++    - file_permissions_cron_hourly
++    - file_groupowner_cron_daily
++    - file_owner_cron_daily
++    - file_permissions_cron_daily
++    - file_groupowner_cron_weekly
++    - file_owner_cron_weekly
++    - file_permissions_cron_weekly
++    - file_groupowner_cron_monthly
++    - file_owner_cron_monthly
++    - file_permissions_cron_monthly
++    - file_groupowner_cron_d
++    - file_owner_cron_d
++    - file_permissions_cron_d
++    - file_groupowner_cron_allow
++    - file_owner_cron_allow
++    - file_cron_deny_not_exist
++    - file_groupowner_at_allow
++    - file_owner_at_allow
++    - file_at_deny_not_exist
++    - file_permissions_at_allow
++    - file_permissions_cron_allow
++    - file_groupowner_sshd_config
++    - file_owner_sshd_config
++    - file_permissions_sshd_config
++    - file_permissions_sshd_private_key
++    - file_permissions_sshd_pub_key
++    - sshd_set_loglevel_verbose
++    - sshd_set_loglevel_info
++    - sshd_max_auth_tries_value=4
++    - sshd_set_max_auth_tries
++    - sshd_disable_rhosts
++    - disable_host_auth
++    - sshd_disable_root_login
++    - sshd_disable_empty_passwords
++    - sshd_do_not_permit_user_env
++    - sshd_idle_timeout_value=15_minutes
++    - sshd_set_idle_timeout
++    - sshd_set_keepalive
++    - var_sshd_set_keepalive=0
++    - sshd_set_login_grace_time
++    - var_sshd_set_login_grace_time=60
++    - sshd_enable_warning_banner
++    - sshd_enable_pam
++    - sshd_set_maxstartups
++    - var_sshd_set_maxstartups=10:30:60
++    - sshd_set_max_sessions
++    - var_sshd_max_sessions=10
++    - accounts_password_pam_minclass
++    - accounts_password_pam_minlen
++    - accounts_password_pam_retry
++    - var_password_pam_minclass=4
++    - var_password_pam_minlen=14
++    - locking_out_password_attempts
++    - accounts_password_pam_pwhistory_remember_password_auth
++    - accounts_password_pam_pwhistory_remember_system_auth
++    - var_password_pam_remember_control_flag=required
++    - var_password_pam_remember=5
++    - set_password_hashing_algorithm_systemauth
++    - var_accounts_maximum_age_login_defs=365
++    - accounts_password_set_max_life_existing
++    - var_accounts_minimum_age_login_defs=7
++    - accounts_password_set_min_life_existing
++    - var_accounts_password_warn_age_login_defs=7
++    - account_disable_post_pw_expiration
++    - var_account_disable_post_pw_expiration=30
++    - no_shelllogin_for_systemaccounts
++    - accounts_tmout
++    - var_accounts_tmout=15_min
++    - accounts_root_gid_zero
++    - accounts_umask_etc_bashrc
++    - use_pam_wheel_for_su
++    - sshd_allow_only_protocol2
++    - journald_forward_to_syslog
++    - journald_compress
++    - journald_storage
++    - service_auditd_enabled
++    - service_httpd_disabled
++    - service_vsftpd_disabled
++    - service_named_disabled
++    - service_nfs_disabled
++    - service_rpcbind_disabled
++    - service_slapd_disabled
++    - service_dhcpd_disabled
++    - service_cups_disabled
++    - service_ypserv_disabled
++    - service_rsyncd_disabled
++    - service_avahi-daemon_disabled
++    - service_snmpd_disabled
++    - service_squid_disabled
++    - service_smb_disabled
++    - service_dovecot_disabled
++    - banner_etc_motd
++    - login_banner_text=cis_banners
++    - banner_etc_issue
++    - login_banner_text=cis_banners
++    - file_groupowner_etc_motd
++    - file_owner_etc_motd
++    - file_permissions_etc_motd
++    - file_groupowner_etc_issue
++    - file_owner_etc_issue
++    - file_permissions_etc_issue
++    - ensure_gpgcheck_globally_activated
++    - package_aide_installed
++    - aide_periodic_cron_checking
++    - grub2_password
++    - file_groupowner_grub2_cfg
++    - file_owner_grub2_cfg
++    - file_permissions_grub2_cfg
++    - require_singleuser_auth
++    - require_emergency_target_auth
++    - disable_users_coredumps
++    - configure_crypto_policy
++    - var_system_crypto_policy=default_policy
++    - dir_perms_world_writable_sticky_bits
++    - file_permissions_etc_passwd
++    - file_owner_etc_shadow
++    - file_groupowner_etc_shadow
++    - file_groupowner_etc_group
++    - file_owner_etc_group
++    - file_permissions_etc_group
++    - file_groupowner_etc_gshadow
++    - file_owner_etc_gshadow
++    - file_groupowner_backup_etc_passwd
++    - file_owner_backup_etc_passwd
++    - file_permissions_backup_etc_passwd
++    - file_groupowner_backup_etc_shadow
++    - file_owner_backup_etc_shadow
++    - file_permissions_backup_etc_shadow
++    - file_groupowner_backup_etc_group
++    - file_owner_backup_etc_group
++    - file_permissions_backup_etc_group
++    - file_groupowner_backup_etc_gshadow
++    - file_owner_backup_etc_gshadow
++    - file_permissions_unauthorized_world_writable
++    - file_permissions_ungroupowned
++    - accounts_root_path_dirs_no_write
++    - root_path_no_dot
++    - accounts_no_uid_except_zero
++    - file_ownership_home_directories
++    - file_groupownership_home_directories
++    - no_netrc_files
++    - no_rsh_trust_files
++    - account_unique_id
++    - group_unique_id
++    - group_unique_name
++    - wireless_disable_interfaces
++    - package_firewalld_installed
++    - service_firewalld_enabled
++    - package_iptables_installed
+diff --git a/products/openembedded/transforms/constants.xslt b/products/openembedded/transforms/constants.xslt
+new file mode 100644
+index 0000000000..152571e8bb
+--- /dev/null
++++ b/products/openembedded/transforms/constants.xslt
+@@ -0,0 +1,10 @@
++<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
++
++<xsl:include href="../../../shared/transforms/shared_constants.xslt"/>
++
++<xsl:variable name="product_long_name">OpenEmbedded</xsl:variable>
++<xsl:variable name="product_short_name">openembedded</xsl:variable>
++<xsl:variable name="product_stig_id_name">empty</xsl:variable>
++<xsl:variable name="prod_type">openembedded</xsl:variable>
++
++</xsl:stylesheet>
+diff --git a/shared/checks/oval/installed_OS_is_openembedded.xml b/shared/checks/oval/installed_OS_is_openembedded.xml
+new file mode 100644
+index 0000000000..11ebdca913
+--- /dev/null
++++ b/shared/checks/oval/installed_OS_is_openembedded.xml
+@@ -0,0 +1,33 @@
++<def-group>
++  <definition class="inventory" id="installed_OS_is_openembedded" version="1">
++    <metadata>
++      <title>OpenEmbedded</title>
++      <affected family="unix">
++        <platform>multi_platform_all</platform>
++      </affected>
++      <description>The operating system installed is an OpenEmbedded based system</description>
++    </metadata>
++    <criteria comment="System is OpenEmbedded based" operator="AND">
++      <extend_definition comment="Installed OS is part of the Unix family" definition_ref="installed_OS_is_part_of_Unix_family" />
++      <criterion comment="OpenEmbedded distro" test_ref="test_os_openembedded" />
++      <criterion comment="OpenEmbedded is installed" test_ref="test_openembedded" />
++    </criteria>
++  </definition>
++
++  <unix:file_test check="all" check_existence="all_exist" comment="/etc/os-release exists" id="test_os_openembedded" version="1">
++    <unix:object object_ref="obj_os_openembedded" />
++  </unix:file_test>
++  <unix:file_object comment="check /etc/os-release file" id="obj_os_openembedded" version="1">
++    <unix:filepath>/etc/os-release</unix:filepath>
++  </unix:file_object>
++
++  <ind:textfilecontent54_test check="all" check_existence="at_least_one_exists" comment="Check OpenEmbedded" id="test_openembedded" version="1">
++    <ind:object object_ref="obj_openembedded" />
++  </ind:textfilecontent54_test>
++  <ind:textfilecontent54_object id="obj_openembedded" version="1" comment="Check OpenEmbedded">
++    <ind:filepath>/etc/os-release</ind:filepath>
++    <ind:pattern operation="pattern match">^ID=nodistro$</ind:pattern>
++    <ind:instance datatype="int">1</ind:instance>
++  </ind:textfilecontent54_object>
++
++</def-group>
+diff --git a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+index affb9770cb..4f22df262c 100644
+--- a/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
++++ b/shared/checks/oval/sysctl_kernel_ipv6_disable.xml
+@@ -8,6 +8,7 @@
+ 	<platform>multi_platform_debian</platform>
+ 	<platform>multi_platform_example</platform>
+ 	<platform>multi_platform_fedora</platform>
++	<platform>multi_platform_openembedded</platform>
+ 	<platform>multi_platform_opensuse</platform>
+ 	<platform>multi_platform_ol</platform>
+ 	<platform>multi_platform_rhcos</platform>
+diff --git a/ssg/constants.py b/ssg/constants.py
+index f66ba008fa..630fbdfcb9 100644
+--- a/ssg/constants.py
++++ b/ssg/constants.py
+@@ -219,6 +219,7 @@ FULL_NAME_TO_PRODUCT_MAPPING = {
+     "Ubuntu 20.04": "ubuntu2004",
+     "Ubuntu 22.04": "ubuntu2204",
+     "UnionTech OS Server 20": "uos20",
++    "OpenEmbedded": "openembedded",
+     "Not Applicable" : "example"
+ }
+ 
+@@ -267,7 +268,7 @@ REFERENCES = dict(
+ 
+ MULTI_PLATFORM_LIST = ["rhel", "fedora", "rhv", "debian", "ubuntu",
+                        "opensuse", "sle", "ol", "ocp", "rhcos",
+-                       "example", "eks", "alinux", "uos", "anolis"]
++                       "example", "eks", "alinux", "uos", "anolis", "openembedded"]
+ 
+ MULTI_PLATFORM_MAPPING = {
+     "multi_platform_alinux": ["alinux2", "alinux3"],
+@@ -285,6 +286,7 @@ MULTI_PLATFORM_MAPPING = {
+     "multi_platform_sle": ["sle12", "sle15"],
+     "multi_platform_ubuntu": ["ubuntu1604", "ubuntu1804", "ubuntu2004", "ubuntu2204"],
+     "multi_platform_uos": ["uos20"],
++    "multi_platform_openembedded": ["openembedded"],
+ }
+ 
+ RHEL_CENTOS_CPE_MAPPING = {
+@@ -454,6 +456,7 @@ MAKEFILE_ID_TO_PRODUCT_MAP = {
+     'ocp': 'Red Hat OpenShift Container Platform',
+     'rhcos': 'Red Hat Enterprise Linux CoreOS',
+     'eks': 'Amazon Elastic Kubernetes Service',
++    'openembedded': 'OpenEmbedded',
+ }
+ 
+ # References that can not be used with product-qualifiers
+-- 
+2.34.1
+
diff --git a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
index ac839dee44..988e48bd81 100644
--- a/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.69.bb
+++ b/meta-security/recipes-compliance/scap-security-guide/scap-security-guide_0.1.67.bb
@@ -6,10 +6,11 @@ HOME_URL = "https://www.open-scap.org/security-policies/scap-security-guide/"
 LIC_FILES_CHKSUM = "file://LICENSE;md5=9bfa86579213cb4c6adaffface6b2820"
 LICENSE = "BSD-3-Clause"
 
-SRCREV = "d09e81ae00509a9be4b01359166cfbece06e47f4"
+SRCREV = "3a1012bc9ec2b01b3b71c6feefd3cff0f52bd64d"
 SRC_URI = "git://github.com/ComplianceAsCode/content.git;branch=master;protocol=https \
            file://run_eval.sh \
            file://run-ptest \
+           file://0001-scap-security-guide-add-openembedded-distro-support.patch \
            file://0002-scap-security-guide-Add-Poky-support.patch \
            "
 
@@ -21,14 +22,9 @@ B = "${S}/build"
 
 inherit cmake pkgconfig python3native python3targetconfig ptest
 
-STAGING_OSCAP_BUILDDIR = "${TMPDIR}/work-shared/openscap/oscap-build-artifacts"
-export OSCAP_CPE_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/cpe"
-export OSCAP_SCHEMA_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/schemas"
-export OSCAP_XSLT_PATH="${STAGING_OSCAP_BUILDDIR}${datadir_native}/openscap/xsl"
-
 OECMAKE_GENERATOR = "Unix Makefiles"
 
-EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OPENEMBEDDED=ON"
+EXTRA_OECMAKE += "-DENABLE_PYTHON_COVERAGE=OFF -DSSG_PRODUCT_DEFAULT=OFF -DSSG_PRODUCT_OE=ON"
 
 do_configure[depends] += "openscap-native:do_install"
 
diff --git a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
index 8185e51047..ff800ce9ef 100644
--- a/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
+++ b/meta-security/recipes-mac/ccs-tools/ccs-tools_1.8.9.bb
@@ -23,7 +23,7 @@ do_make(){
 }
 
 do_install(){
-    oe_runmake INSTALLDIR=${D}  USRLIBDIR=${libdir} SBINDIR=${sbindir} install
+    oe_runmake INSTALLDIR=${D}  USRLIBDIR=${libdir} install
 }
 
 PACKAGE="${PN} ${PN}-dbg ${PN}-doc"
diff --git a/meta-security/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch b/meta-security/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
deleted file mode 100644
index 451cb7f96f..0000000000
--- a/meta-security/recipes-security/paxctl/paxctl/0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 824c5d7b96aeef1b4e182f657ac002bed6e14cd5 Mon Sep 17 00:00:00 2001
-From: Lei Maohui <leimaohui@fujitsu.com>
-Date: Thu, 31 Aug 2023 08:20:56 +0000
-Subject: [PATCH] To fix package error if DESTDIR is set to /usr.
-
-Upstream-Status: Inappropriate
-Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
----
- Makefile | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/Makefile b/Makefile
-index 0d7bc0c..46fd664 100644
---- a/Makefile
-+++ b/Makefile
-@@ -19,7 +19,7 @@ $(PROG).o: $(PROG).c $(PROG).h $(PROG)-elf.c
-
- install: $(PROG)
- #	$(MKDIR) $(DESTDIR)/sbin $(DESTDIR)$(MANDIR)
--	$(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/sbin/$(PROG)
-+	$(INSTALL) -D --owner 0 --group 0 --mode a=rx $(PROG) $(DESTDIR)/usr/sbin/$(PROG)
-	$(INSTALL) -D --owner 0 --group 0 --mode a=r $(PROG).1 $(DESTDIR)/$(MANDIR)/$(PROG).1
-
- clean:
---
-2.34.1
diff --git a/meta-security/recipes-security/paxctl/paxctl_0.9.bb b/meta-security/recipes-security/paxctl/paxctl_0.9.bb
index 3d2f2a36c4..5c9aff1558 100644
--- a/meta-security/recipes-security/paxctl/paxctl_0.9.bb
+++ b/meta-security/recipes-security/paxctl/paxctl_0.9.bb
@@ -8,9 +8,7 @@ LIC_FILES_CHKSUM = "file://paxctl.c;beginline=1;endline=5;md5=0ddd065c61020dda79
                     file://paxctl-elf.c;beginline=1;endline=5;md5=99f453ce7f6d1687ee808982e2924813 \
 		   "
 
-SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz \
-           file://0001-To-fix-package-error-if-DESTDIR-is-set-to-usr.patch \
-"
+SRC_URI = "http://pax.grsecurity.net/${BP}.tar.gz"
 
 SRC_URI[md5sum] = "9bea59b1987dc4e16c2d22d745374e64"
 SRC_URI[sha256sum] = "a330ddd812688169802a3ba29e5e3b19956376b8f6f73b8d7e9586eb04423c2e"
author	Andrew Geissler <geissonator@yahoo.com>	2023-09-11 15:36:15 +0300
committer	Andrew Geissler <geissonator@yahoo.com>	2023-09-11 15:36:15 +0300
commit	80d41842d41c701edac5b2c768da574f260fa6a3 (patch)
tree	7d58015c844bd241f3c1737b1af0d4b53dfe8c67 /meta-security
parent	fc7e7973f3119e2bad511209aa336537dc5ffbed (diff)
download	openbmc-80d41842d41c701edac5b2c768da574f260fa6a3.tar.xz